Service accounts are very important to installing every version of SharePoint. Let’s take a look at the SharePoint 2016 service accounts that I recommend and used.

| Account | Description | Local / Application Permissions | Local Security Policy |
| --- | --- | --- | --- |
| SP_Admin | This account will be used to install and configure the SharePoint farm initially. After the initial setup, you can grant the farm administrator rights to your SharePoint Administrators account so they can log in and manage SharePoint with their own account. | Domain User; Local Administrator on the SharePoint Servers; Member of the following SQL Roles: DB Creator, Security Admin | Back up files and directories; Debug Programs; Manage auditing and Security log; Restore files and directories; Take ownership of files or other objects |
| SP_Farm | Runs the SharePoint Timer and Administration Service | Domain User; Member of the following SQL Roles: DB Creator, Security Admin | Allow log on locally; Adjust memory quotas for a process; Impersonate a client after authentication; Log on as a batch job; Log on as a service; Replace a process level token |
| SP_Services | Runs the Application Pool for most of your Service Applications. There are some service applications that require more rights and a dedicated Service Account is recommended. We’re covering those a bit lower in this blog post! | Domain User | Adjust memory quotas for a process; Log on as a batch job; Log on as a service; Replace a process level token; Impersonate a client after authentication |
| SP_Pool | Runs the Application Pool for your Web Applications. | Domain User | Impersonate a client after authentication; Log on as a batch job; Log on as a service |
| SP_Crawl | The Default Content Access Account for the Search Service Application. This account is used to crawl the content of your SharePoint Web Applications. | Domain User; This account needs to have Read Access on all your Web Applications (given automatically) | |
| SP_Sync | Used to synchronize profiles between AD and SharePoint Server 2016 | Domain User | Needs to have “Replicate Directory Changes” in the Active Directory |
| SP_C2WTS | Used to run the Claims to Windows Token Service | Domain User; Local Administrator on all SharePoint Servers running the C2WTS service | Act as part of the operating system; Impersonate a client after authentication; Log on as a service |
| SP_SuperUser | Object cache account (Super User). Must not be an account that will ever be used to log in to the site. | Domain User; Full Control on your Web Applications | |
| SP_SuperReader | Object cache account (Super Reader). Must not be an account that will ever be used to log in to the site. | Domain User; Full Read on your Web Applications | |
| SP_SQLAdmin | This account will be used to install and configure the SQL Server initially. After the initial setup, you can grant the SQL Admin rights to your SQL Administrators account so they can log in and manage SQL with their own account. | Domain User; Local Administrator on the SQL Server | Back up files and directories; Debug Programs; Manage auditing and Security log; Restore files and directories; Take ownership of files or other objects |
| SP_SQLEngine | This account will run the Database Engine service | Domain User | Log on as a service; Replace a process-level token; Bypass traverse checking; Adjust memory quotas for a process; Perform Volume Maintenance Tasks (only if you want to enable Instant File Initialization) |
| SP_SQLAgent | This account will run the SQL Server Agent Service | Domain User | Log on as a service; Replace a process-level token; Bypass traverse checking; Adjust memory quotas for a process |
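An added example, not part of the original post: a Python check that compares a `secedit /export /areas USER_RIGHTS` export from a SharePoint server with the Local Security Policy column for four of the accounts above, reporting rights that are missing and rights granted beyond the table. The sample export, the CONTOSO domain, the SID and the SID-to-name map are constructed, and the mapping from the table's policy names to Windows `Se…` constants is supplied here rather than taken from the post.

```python
# Rights from the table's Local Security Policy column, as Windows user-right constants.
REQUIRED = {
    "SP_Farm": {"SeInteractiveLogonRight", "SeIncreaseQuotaPrivilege",
                "SeImpersonatePrivilege", "SeBatchLogonRight",
                "SeServiceLogonRight", "SeAssignPrimaryTokenPrivilege"},
    "SP_Services": {"SeIncreaseQuotaPrivilege", "SeBatchLogonRight",
                    "SeServiceLogonRight", "SeAssignPrimaryTokenPrivilege",
                    "SeImpersonatePrivilege"},
    "SP_Pool": {"SeImpersonatePrivilege", "SeBatchLogonRight", "SeServiceLogonRight"},
    "SP_C2WTS": {"SeTcbPrivilege", "SeImpersonatePrivilege", "SeServiceLogonRight"},
}

# Constructed sample export and SID map (CONTOSO and the SID are placeholders).
SAMPLE = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1-2-3-1105,CONTOSO\SP_Pool,CONTOSO\SP_Services
SeBatchLogonRight = *S-1-5-21-1-2-3-1105,CONTOSO\SP_Pool,CONTOSO\SP_Services
SeImpersonatePrivilege = *S-1-5-21-1-2-3-1105,CONTOSO\SP_Pool,CONTOSO\SP_Services
SeIncreaseQuotaPrivilege = *S-1-5-21-1-2-3-1105,CONTOSO\SP_Services
SeAssignPrimaryTokenPrivilege = *S-1-5-21-1-2-3-1105,CONTOSO\SP_Services
SeDebugPrivilege = *S-1-5-32-544,CONTOSO\SP_Pool
[Version]
signature="$CHICAGO$"
"""
SIDS = {"S-1-5-21-1-2-3-1105": r"CONTOSO\SP_Farm"}

def parse_rights(inf_text, sid_names):
    """Return {account_lowercase: {right, ...}} from the [Privilege Rights] section."""
    granted, in_section = {}, False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            right, _, members = line.partition("=")
            for member in filter(None, map(str.strip, members.split(","))):
                if member.startswith("*"):  # *SID form: resolve it if the SID is known
                    member = sid_names.get(member[1:], member)
                account = member.split("\\")[-1].lower()  # drop the DOMAIN\ prefix
                granted.setdefault(account, set()).add(right.strip())
    return granted

def audit(inf_text, sid_names, required=REQUIRED):
    """Per account: rights the table lists but the host lacks, and rights beyond the table."""
    granted = parse_rights(inf_text, sid_names)
    return {acct: {"missing": sorted(need - granted.get(acct.lower(), set())),
                   "extra": sorted(granted.get(acct.lower(), set()) - need)}
            for acct, need in required.items()}
```

Only direct assignments appear in the export, so rights an account holds through a group such as the local Administrators group are not counted for it.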